If this is your first visit, be sure to
check out the Forum Rules by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Can some router prevent arp spoofing ?

Hi everyone,

I've got a small experience regarding arp spoofing. I managed to make it work with tools such as arpspoof, ettercap following the various tutorials of the site since backtrack 3. Recently I failed to arp spoof some routers with BT5 and I don't understand why. I can verify that the victim is arp spoofed by checking its arp table. And I can see some of the traffic going through the midm machine. But somehow it kills the internet connection of the victim. I think the problem is there (not sure though)

I've noticed the problem specifically on a router/box provided by my ISP which I can't manage to arp spoof. And the exact same process, same machine, on different router works perfectly. So my question is, are there some router with an anti arp spoof protection ? and if yes, is it possible to circumvent it ? Is there a different arp tool I can test ?

Riferimento: Can some router prevent arp spoofing ?

As far as I've tested MITM with ettercap I've never found an home router that prevented ARP spoofing, however I haven't a broad experience 'cause I'm only an amateur (forgive me for my bad english too).
I did some googling and I found these, it shows that it is possible to mitigate an ARP spoofing attack in well determined conditions, so it could be that some router implements such features but I don't think so not by now and not if your router isn't brand new XD
As I found in this paper(see scenario 3) from cisco systems, they developed something called ARP inspection (described in an human-readable form here in their blog). It seems to be something similar to your scenario (if I understood well): as they say in the blog, enabling ARP inspection will make the router drop strange ARP replies, but I think it's not your case 'cause I don't think you used professional routers such the one of the cisco's demo. In addition they talk about static ARP tables and again I don't think it's your case.

Answering your last question i think ARPSpoof and Ettercap are the best ones, I didn't searched for others 'cause it Always worked with them, but I think that if you google around for a while you'll find something...
If you find somethink keep me up to date! I'm interested in this topic too!

Also I noticed that I add "better" result when using arp:remote instead of only arp when using ettercap
- With only arp the arp spoof works (checked with arp -a on victim) but ettercap does not see any packet
- With arp:remote I can see the packets from the victim to the net but the way back

I've confirmed this with wireshark. And in any case there is no packet from the net to the victim.
Here is a screenshot of what I think is the problem. You'll see that the http request goes into a loop
of retransmission.

I'm not knowledgeable enough to detect the problem more precisely though.

Also I've made some test with wireshark and here is what I get
It's pretty obvious that no traffic goes back to the victime. But I'm not savvy enough to understand why.
What's really frustrating is that the same commands, config, machine etc work on other router :-/

Also I've made some test with wireshark and here is what I get
It's pretty obvious that no traffic goes back to the victime. But I'm not savvy enough to understand why.
What's really frustrating is that the same commands, config, machine etc work on other router :-/

Re: Can some router prevent arp spoofing ?

What is the Mac address of your router?
Ethernet frame as seen in your pics is encapsulating higher level protocols of level 3,4,7 so you must look at the source address of this ethernet frame if it is properly poisoned it will contain
you attacker mac address.
Maybe network stack in your backtrack machine is not forwarding properly all those packets sent through its interface?

Re: Can some router prevent arp spoofing ?

So following to this topics I managed to get it working when using another USB wifi key. I've no idea why. Both worked with all kind
of configuration but in the case of this specific router only one wifi key worked.

Re: Can some router prevent arp spoofing ?

Depends on the security application protecting the target, smart security by eset has options in the ids settings for arp attacks, dns poisoning etc which will protect the target from these attacks and also block the ip from further attacks.